Oct 2016 ver 1.2 MalwareArchaeology.com Page 1 of 6
WINDOWS FILE AUDITING CHEAT SHEET - Win 7/Win 2008 or later
RESOURCES: Places to get more information
1. MalwareArchaeology.com/cheat-sheets - More Windows cheat sheets and scripts to assist in your audit settings.
2. Log-MD.com – The Log Malicious Discovery tool reads security-related log events and settings. Use Log-MD to audit your log settings compared to the “Windows Logging Cheat Sheet” and Center for Internet Security (CIS) to help with configuring your audit policy and refine file and registry auditing. List Event ID 4663 to see what files and folders might be noise and can be removed from your audit policy.
3. technet.microsoft.com – Information on Windows auditing
4. https://msdn.microsoft.com/en-us/library/bb742512.aspx - Using Security Templates to set audit policies
5. Google! – But of course.
WHY AUDIT FILES AND FOLDERS:
Files are often added or changed by hackers and malware. By auditing key file and folder locations, any additions or changes
made by an attacker can be captured in the logs, harvested by a log management solution and potentially alerted on or
gathered during an investigation.
Building a base configuration for file and folder auditing gives you a great starting point to build upon. As you mature your logging program, you can build upon and develop it as you find new locations that are important to monitor. We recommend as a part of any Information Security program that you implement and practice “Malware Management”. You can read more on what “Malware Management” is and how to begin doing it here:
- www.MalwareManagement.com
The basic idea of Malware Management is, as you find file and folder locations reported in an incident response firm’s
malware analysis, virus/malware reports and your own incidents and investigations, you can expand on the base auditing
listed in this cheat sheet and make it more mature and applicable to your specific needs or requirements.
This “Windows File Auditing Cheat Sheet” is intended to help you get started with basic and necessary File and Folder Auditing. This cheat sheet includes some very common items that should have auditing enabled, configured, gathered and harvested for any Log Management, Information Security program or other security log gathering solution. Start with these settings and add to the list as you understand better what is in your logs and what you need to monitor and alert on.
ENABLE AND CONFIGURE:
1. FILE AUDITING: In order to collect file and folder auditing events (Event ID 4663) you must first apply the settings
found in the “Windows Logging Cheat Sheet”. These settings will allow a Windows based system to collect any events
on files and folders that have auditing enabled.
CONFIGURE:
1. LOCAL LOG SIZE: Increase the maximum size of your local Security log. Proper auditing will increase log data well beyond the default settings; your goal should be to keep local security logs for around 7 days.
- Security log set to 1GB (1,000,000KB) or larger (yes, this is huge compared to the defaults)
INFORMATION:
1. EVENT ID: There is only one Event ID that will appear in the Security log when file and folder auditing is enabled, 4663.
- 4663 - An attempt was made to access an object. This is the only Event ID that will record the details of the folder(s) and file(s) created as well as the process name that performed the actions.
REFINING AUDITING:
When using file and folder auditing, refinement will be needed in order to collect only the entries having actual security
value. Enabling folders that have a high rate of changes will fill up your logs causing them to rotate faster than you might
want to retain them and miss files you might actually want to catch. In addition, logging more than you need when using a
log management solution will have a potential impact to licensing and storage requirements. It is important to test and
refine file and folder auditing before applying it across your organization. Use Log-MD to assist you in refining your file and
folder audit policy which can be found here:
- Log-MD.com
If you are examining malware in a lab for example, or doing an incident response investigation, over auditing may be
perfectly acceptable. Use the built-in Windows wevtutil.exe utility, PowerShell (get-eventlog), a security log tool like Log-
MD or your log management solution to review what is being captured and remove files and folders that are excessively
noisy and do not have significant security importance.
When setting auditing of files and folders there are some decisions to make on what to monitor. Using Explorer to select the folder and set the auditing manually, you can see what options there are, as seen in the image below. The goal of this cheat sheet is to get you started using file and folder auditing on well-known folders and to enable just enough to provide security value, but not so much as to create a lot of useless noise. What follows is our recommendation to get started, which you may tweak and improve as you need. The main goal is to look for things that are newly added by hackers and/or malware. Monitoring for all changes is rather noisy, and excess noise could cause you to miss a simple file creation.
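The review step described above (reading 4663 events to find which folders are noise) as an added PowerShell example; it is not code from the cheat sheet or from Log-MD, and assumes an elevated session on a host where file auditing is already producing 4663 events:

```powershell
# Added example: rank the folders that generate the most 4663 events so the noisiest
# ones can be excluded from the audit policy. Reading the Security log needs admin rights.
function Get-NoisyAuditedFolders {
    param(
        [int]$MaxEvents = 50000,   # sample size: most recent 4663 events to examine
        [int]$Top = 25             # number of folders to report
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $MaxEvents -ErrorAction Stop
    $rows = foreach ($e in $events) {
        # Pull the named EventData fields (ObjectType, ObjectName, ProcessName) out of the event XML
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Registry auditing also produces 4663; keep only file system objects here
        if ($data['ObjectType'] -ne 'File') { continue }
        [pscustomobject]@{
            Folder  = Split-Path -Path $data['ObjectName'] -Parent
            Process = $data['ProcessName']
        }
    }
    # Count events per parent folder and show which process is responsible for most of them
    $rows | Group-Object -Property Folder | Sort-Object -Property Count -Descending |
        Select-Object -First $Top -Property Count, Name,
            @{ Name = 'TopProcess'; Expression = {
                ($_.Group | Group-Object -Property Process | Sort-Object -Property Count -Descending |
                    Select-Object -First 1).Name } }
}
Get-NoisyAuditedFolders | Format-Table -AutoSize
```

Folders at the top of the list that belong to ordinary applications (browser caches, Office, search indexer) are the candidates for the exclusion list later in this sheet.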
CONFIGURE:
Select a folder or file you want to audit and monitor. Right-click the folder, select Permissions – Advanced – Auditing – Add – EVERYONE – (check names), OK.
1. Apply onto – “THIS FOLDER and FILES” or “THIS FOLDER, SUBFOLDERS and FILES” (or what you want/need).
2. Select ‘Create files / write data’, ‘Create folders / append data’, ‘Write extended attributes’, ‘Delete’, ‘Change permissions’ & ‘Take ownership’ to audit.
3. Be careful setting auditing to ‘This folder, subfolders and files’, as this can generate a lot of data and thus noise.
CONFIGURE:
These are the only items that are recommended to be set, to capture what is needed security-wise and keep noise to a minimum. You may expand on these settings as necessary for your environment, but these settings are a good place to start.
User:
- EVERYONE
Applies to:
- “This folder, subfolders and files” – Audit all items in this folder and all subfolders
OR
- “This folder and files” - Audit only the files in this folder and NOT the subfolders
Access: Only select these items to keep down on the noise
- Create files / write data – File created
- Create folders / append data – Folder created
- Write extended attributes – Metadata that can be placed in a file
- Delete – File is deleted
- Change permissions – Permissions of a file changed
- Take ownership – Ownership changed
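The same six access entries applied from PowerShell, as an added example that is not part of the cheat sheet. It assumes an elevated session; the function name, the choice of Success-only auditing and the sample paths at the end are this example's own choices:

```powershell
# Added example: add the recommended audit entries (SACL) for Everyone to one or more folders.
function Set-FolderAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [switch]$IncludeSubfolders   # "This folder, subfolders and files" instead of "This folder and files"
    )
    # The six Access items from the table above, by their .NET FileSystemRights names
    # (CreateFiles = write data, CreateDirectories = append data)
    $rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'
    # Inheritance flags behind the two "Applies to" labels in the Explorer dialog
    $inherit = if ($IncludeSubfolders) {
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    }
    # Success only; add AuditFlags Failure as well if denied attempts are wanted too
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    foreach ($p in $Path) {
        try {
            # -Audit makes Get-Acl read the SACL (needs SeSecurityPrivilege, i.e. an admin session)
            $acl = Get-Acl -LiteralPath $p -Audit
            $acl.AddAuditRule($rule)
            Set-Acl -LiteralPath $p -AclObject $acl
            Write-Verbose "Audit entry added on $p"
        } catch {
            # Expected on some TrustedInstaller-owned folders; see OPTIONS TO SET FILE AUDITING below
            Write-Warning "Could not set auditing on ${p}: $($_.Exception.Message)"
        }
    }
}

# Constructed sample calls: one folder from each of the two lists that follow
Set-FolderAudit -Path 'C:\ProgramData' -Verbose
Set-FolderAudit -Path 'C:\Windows\System32\Tasks' -IncludeSubfolders -Verbose
```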
CONFIGURE: Recommended folders and files to enable auditing on
1. FOLDERS TO AUDIT:
THIS FOLDER AND FILES ONLY: Do NOT audit subfolders on these directories
- C:\Program Files
- C:\Program Files\Internet Explorer
- C:\Program Files\Common Files
- C:\Program Files (x86)
- C:\Program Files (x86)\Common Files
- C:\ProgramData
- C:\Windows
- C:\Windows\System32
- C:\Windows\System32\Drivers
- C:\Windows\System32\Drivers\etc
- C:\Windows\System32\Sysprep
- C:\Windows\System32\wbem
- C:\Windows\System32\WindowsPowerShell\v1.0
- C:\Windows\Web
- C:\Windows\SysWOW64
- C:\Windows\SysWOW64\Drivers
- C:\Windows\SysWOW64\wbem
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0
THIS FOLDER, SUBFOLDERS AND FILES:
- C:\Boot
- C:\Perflogs
- Any Anti-Virus folder(s) used for quarantine, etc.
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup
- C:\Users\Public
- C:\Users\*\AppData\Local
- C:\Users\*\AppData\Local\Temp
- C:\Users\*\AppData\LocalLow
- C:\Users\*\AppData\Roaming
- C:\Windows\Scripts
- C:\Windows\System
- C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup (consider Scripts if no other dirs)
- C:\Windows\System32\GroupPolicy\Machine\Scripts\Shutdown
- C:\Windows\System32\GroupPolicy\User\Scripts\Logon (consider Scripts if no other dirs)
- C:\Windows\System32\GroupPolicy\User\Scripts\Logoff
- C:\Windows\System32\Repl (servers only)
- C:\Windows\System32\Tasks
- C:\Windows\system32\config\systemprofile\AppData
- C:\Windows\sysWOW64\sysprep
CONFIGURE:
EXCLUDE NOISY ITEMS: These folders will create events that do not provide much value. After setting auditing on the
parent folder, remove auditing from these folders and any other files and folders you find overly noisy with little security
benefit.
- C:\ProgramData\Microsoft\RAC\Temp
- C:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf
- C:\ProgramData\Microsoft\RAC\StateData\RacDatabase.sdf
- C:\ProgramData\<Anti-Virus>\Common Framework (insert your AV folder(s))
- C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk
- C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
- C:\Users\*\AppData\Local\GDIPFONTCACHEV1.DAT
- C:\Users\*\AppData\Local\Google\Chrome\User Data
- C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*
- C:\Users\*\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
- C:\Users\*\AppData\Local\Microsoft\Office
- C:\Users\*\AppData\Local\Microsoft\Outlook
- C:\Users\*\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis
- C:\Users\*\AppData\Local\Mozilla\Firefox\Profiles
- C:\Users\*\AppData\LocalLow\Microsoft\CryptnetUrlCache
- C:\Users\*\AppData\Roaming\Microsoft\Excel
- C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache
- Any other normal applications that you have installed that produce a lot of log entries without significant security value.
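Removing the inherited audit entries from a noisy subfolder, as an added PowerShell example that is not part of the cheat sheet. It assumes an elevated session and that auditing was set on the parent folder with inheritance; the per-user `*` in the paths above is expanded with Resolve-Path, and the two sample paths at the end are taken from the list:

```powershell
# Added example: stop a noisy subfolder or file from inheriting the parent's audit entries.
function Remove-InheritedAudit {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($pattern in $Path) {
        # Resolve-Path expands C:\Users\*\... to every profile that actually has the folder or file
        $matches = Resolve-Path -Path $pattern -ErrorAction SilentlyContinue
        if (-not $matches) { Write-Verbose "Nothing matched $pattern"; continue }
        foreach ($item in $matches) {
            $acl = Get-Acl -LiteralPath $item.ProviderPath -Audit
            # $true  = stop inheriting audit entries from the parent
            # $false = discard the inherited entries rather than copying them as explicit entries
            $acl.SetAuditRuleProtection($true, $false)
            Set-Acl -LiteralPath $item.ProviderPath -AclObject $acl
            Write-Verbose "Audit inheritance removed on $($item.ProviderPath)"
        }
    }
}

# Constructed sample call: two of the noisy locations listed above
Remove-InheritedAudit -Path 'C:\Users\*\AppData\Local\Google\Chrome\User Data',
                            'C:\ProgramData\Microsoft\RAC\Temp' -Verbose
```

Because inheritance is broken rather than an entry deleted, re-applying auditing on the parent later will not re-enable it on the excluded folder; that is the intended behaviour for an exclusion list.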
OPTIONS TO SET FILE AUDITING:
There are four ways to set file and folder auditing on each folder:
1. Create a security template that is applied using Group Policy and/or secedit. This is the most effective way of doing it for a large number of systems.
a. https://msdn.microsoft.com/en-us/library/bb742512.aspx
2. Set with a PowerShell script. Note that this method does not work on certain directories owned by TrustedInstaller, and changing the ownership is not recommended.
3. Set with SetACL.exe, a utility by www.helgeklein.com
4. Set manually via Explorer. This does not scale, as each system must be set manually, but may be fine for a malware lab or investigation of a single or a few systems.
PREFETCH FOLDER AUDITING:
Auditing the Windows Prefetch or Superfetch folder is a good forensic addition since it will not generate very much log data. On Windows 7 and later systems with an SSD it is disabled. Enabling it on servers is an option. On workstations, set the “Superfetch” service to Automatic and start it, and make sure the “EnableSuperfetch” value is set to “3” under:
- HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
USING SECURITY TEMPLATES TO SET AND REMOVE FILE AUDITING:
The following is how to create a security template using the Microsoft Management Console (MMC). To create a custom security template using the MMC snap-in:
1. Open the MMC console: choose Start, and then choose Run
2. Type “mmc” in the Open box, and then choose OK
3. From the File menu, choose Add/Remove Snap-in
4. In the Add/Remove Snap-in dialog box, choose Add
5. In the list of available snap-ins, select Security Templates, choose Add, choose Close, and then choose OK
6. In the MMC main window, under the Console Root node, expand the Security Templates node, right-click the root templates folder, and then choose New Template
7. Type a name and description for the template, and then choose OK
8. Choosing OK saves your template as an .inf file in:
- C:\Users\<username>\Documents\Security\Templates
- Or you may save it anywhere you would like
9. Add each folder and/or file you want to audit with the appropriate audit settings listed above
CHECK THE AUDITING OF A FOLDER OR FILE:
1. To check what the file auditing for a given folder or file is set to, use the following PowerShell script:
- Check_Auditing_Settings_File_Folder.ps1 – Check the auditing set on a specific folder or file
- Available at www.Malwarearchaeology.com/logging

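An added example of such a check, written here and not the Check_Auditing_Settings_File_Folder.ps1 script referenced above: it reads the SACL of a folder or file and reports which of the six recommended access rights are not yet audited for Everyone. It assumes an elevated session; the function name and the two sample paths are this example's own:

```powershell
# Added example: compare a folder's audit entries against the recommended settings in this sheet.
function Test-FolderAudit {
    param([Parameter(Mandatory)][string]$Path)
    $recommended = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'
    # Explicit and inherited audit entries, with identities resolved to account names
    $rules = (Get-Acl -LiteralPath $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
    # Only Success entries for Everyone count toward the recommendation
    $everyone = @($rules | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        (($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -ne 0)
    })
    # OR together the rights that are already audited, then mask out what is missing
    $present = 0
    foreach ($r in $everyone) { $present = $present -bor [int]$r.FileSystemRights }
    $missing = [int]$recommended -band (-bnot $present)
    $missingNames = if ($missing -ne 0) { [System.Security.AccessControl.FileSystemRights]$missing } else { 'none' }
    [pscustomobject]@{
        Path          = $Path
        AuditEntries  = $rules.Count
        Inherited     = @($everyone | Where-Object { $_.IsInherited }).Count
        AppliesTo     = ($everyone | ForEach-Object { $_.InheritanceFlags } | Sort-Object -Unique) -join '; '
        MissingRights = $missingNames
    }
}

# Constructed sample call covering one folder from each list above
'C:\ProgramData', 'C:\Windows\System32\Tasks' | ForEach-Object { Test-FolderAudit -Path $_ } | Format-List
```

A result of `MissingRights: none` with `AppliesTo: ObjectInherit` corresponds to “This folder and files”; `ContainerInherit, ObjectInherit` corresponds to “This folder, subfolders and files”.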

This “Windows File Auditing Cheat Sheet” is intended to help you get started with basic and necessary File and Folder Auditing. This cheat sheet includes some very common items that should have auditing enabled, configured, gathered and harvested for any Log Management, Information Security program or other security log gathering solution. Start with these settings and add to the list as you understand better what is in your logs and what you need to monitor and alert on.
ENABLE AND CONFIGURE:
1. FILE AUDITING: In order to collect file and folder auditing events (Event ID 4663) you must first apply the settings found in the “Windows Logging Cheat Sheet”. These settings will allow a Windows based system to collect any events on files and folders that have auditing enabled.

CONFIGURE:
1. LOCAL LOG SIZE: Increase the maximum size of your local Security log. Proper auditing will increase log data beyond the default settings; your goal should be to keep local security logs for around 7 days.
  • Security log set to 1GB (1,000,000KB) or larger (yes, this is huge compared to the defaults)

INFORMATION:
1. EVENT ID: There is only one Event ID that will appear in the Security log when file and folder auditing is enabled, 4663.
  • 4663 - An attempt was made to access an object. This is the only Event ID that will record the details of the folder(s) and file(s) created as well as the process name that performed the actions.

REFINING AUDITING:
When using file and folder auditing, refinement will be needed in order to collect only the entries having actual security value. Enabling folders that have a high rate of changes will fill up your logs, causing them to rotate faster than you might want to retain them, and you will miss files you might actually want to catch. In addition, logging more than you need when using a log management solution will have a potential impact on licensing and storage requirements. It is important to test and refine file and folder auditing before applying it across your organization. Use Log-MD to assist you in refining your file and folder audit policy, which can be found here:
  • Log-MD.com

If you are examining malware in a lab, for example, or doing an incident response investigation, over-auditing may be perfectly acceptable.

Use the built-in Windows wevtutil.exe utility, PowerShell (Get-EventLog), a security log tool like Log-MD or your log management solution to review what is being captured and remove files and folders that are excessively noisy and do not have significant security importance.

When setting auditing of files and folders there are some decisions on what to monitor. Using Explorer to select the folder and set the auditing manually, you can see what options there are, as seen in the image below. The goal of this cheat sheet is to get you started using file and folder auditing on well-known folders and to enable just enough to provide security value, but not so much as to create a lot of useless noise. What follows is our recommendation to get started, which you may tweak and improve as you need. The main goal is to look for things that are newly added by hackers and/or malware. Monitoring for all changes is rather noisy, and excess noise could cause you to miss a simple file creation.
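To find the folders the paragraph above says to prune, the following added PowerShell example (not from the cheat sheet or from Log-MD) summarises the 4663 events in the local Security log by parent folder and process, collapsing per-user profile paths so each folder is counted once. It assumes an elevated session; the function name and the event cap are our own choices.

```powershell
# Added example: rank the noisiest audited folders and processes in the Security log's
# 4663 events so they can be removed from the audit policy. Assumes an elevated session.
function Get-NoisyAuditedPaths {
    param(
        [int]$MaxEvents = 50000,   # arbitrary cap on how far back to read; raise for a fuller picture
        [int]$Top = 25
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning 'No 4663 events found; is object access auditing enabled?'
        return
    }

    $rows = foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of parsing the message text
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            # Count the parent folder, not each file, and fold C:\Users\<name>\ into C:\Users\*\
            Folder      = (Split-Path -Path $data['ObjectName'] -Parent) -replace '^(C:\\Users\\)[^\\]+', '$1*'
            ProcessName = $data['ProcessName']
        }
    }

    $rows | Group-Object Folder, ProcessName |
        Sort-Object Count -Descending |
        Select-Object -First $Top -Property Count,
            @{ n = 'Folder';  e = { $_.Group[0].Folder } },
            @{ n = 'Process'; e = { $_.Group[0].ProcessName } }
}

Get-NoisyAuditedPaths | Format-Table -AutoSize
```

Folders that dominate the top of this list without security value are candidates for the exclusion list on page 5.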
CONFIGURE:
Select a folder or file you want to audit and monitor. Right-click the folder, select Permissions – Advanced – Auditing – Add – EVERYONE – (Check Names), OK.
1. Apply onto – “THIS FOLDER and FILES” or “THIS FOLDER, SUBFOLDERS and FILES” (or what you want/need).
2. Select ‘Create files / write data’, ‘Create folders / append data’, ‘Write extended attributes’, ‘Delete’, ‘Change permissions’ & ‘Take ownership’ to audit.
3. Be careful setting auditing to ‘This folder, subfolders and files’, as this can generate a lot of data and thus noise.

CONFIGURE:
These are the only items that are recommended to be set to optimize what is needed security-wise and keep noise to a minimum. You may expand on these settings as necessary for your environment, but these settings are a good place to start.

User:
  • EVERYONE
Applies to:
  • “This folder, subfolders and files” – Audit all items in this folder and all subfolders
  OR
  • “This folder and files” – Audit only the files in this folder and NOT the subfolders
Access: Only select these items to keep down on the noise
  • Create files / write data – File created
  • Create folders / append data – Folder created
  • Write extended attributes – Metadata that can be placed in a file
  • Delete – File is deleted
  • Change permissions – Permissions of a file change
  • Take ownership – Ownership changed
CONFIGURE: Recommended folders and files to enable auditing on
1. FOLDERS TO AUDIT:

THIS FOLDER AND FILES ONLY: Do NOT audit subfolders on these directories
  • C:\Program Files
  • C:\Program Files\Internet Explorer
  • C:\Program Files\Common Files
  • C:\Program Files (x86)
  • C:\Program Files (x86)\Common Files
  • C:\ProgramData
  • C:\Windows
  • C:\Windows\System32
  • C:\Windows\System32\Drivers
  • C:\Windows\System32\Drivers\etc
  • C:\Windows\System32\Sysprep
  • C:\Windows\System32\wbem
  • C:\Windows\System32\WindowsPowerShell\v1.0
  • C:\Windows\Web
  • C:\Windows\SysWOW64
  • C:\Windows\SysWOW64\Drivers
  • C:\Windows\SysWOW64\wbem
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0

THIS FOLDER, SUBFOLDERS AND FILES:
  • C:\Boot
  • C:\Perflogs
  • Any Anti-Virus folder(s) used for quarantine, etc.
  • C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\Users\Public
  • C:\Users\*\AppData\Local
  • C:\Users\*\AppData\Local\Temp
  • C:\Users\*\AppData\LocalLow
  • C:\Users\*\AppData\Roaming
  • C:\Windows\Scripts
  • C:\Windows\System
  • C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup – Consider Scripts if no other dirs
  • C:\Windows\System32\GroupPolicy\Machine\Scripts\Shutdown
  • C:\Windows\System32\GroupPolicy\User\Scripts\Logon – Consider Scripts if no other dirs
  • C:\Windows\System32\GroupPolicy\User\Scripts\Logoff
  • C:\Windows\System32\Repl – Servers only
  • C:\Windows\System32\Tasks
  • C:\Windows\system32\config\systemprofile\AppData
  • C:\Windows\sysWOW64\sysprep
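The manual Explorer steps on page 3 and the folder lists above, combined into one added PowerShell example (not the cheat sheet's own script): the function builds the recommended audit entry (Everyone; the six access types; Success audits) with either "applies to" option, applies it to an abbreviated version of each list, and reads one SACL back. It assumes an elevated session; the function name and the shortened lists are ours, and the lists should be extended from the page above.

```powershell
# Added example: apply the cheat sheet's recommended audit entries with PowerShell.
# Assumes an elevated session (Get-Acl -Audit and Set-Acl on SACLs need SeSecurityPrivilege).
function Add-CheatSheetAuditRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$IncludeSubfolders   # set = "This folder, subfolders and files"; unset = "This folder and files"
    )
    # The six access types the sheet recommends, as a FileSystemRights flag set
    $rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'
    if ($IncludeSubfolders) {
        $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        $propagate = [System.Security.AccessControl.PropagationFlags]::None
    } else {
        # Inherit onto files directly in this folder only; NoPropagateInherit keeps it out of subfolders
        $inherit   = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
        $propagate = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
    }
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # well-known SID for Everyone
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
        $everyone, $rights, $inherit, $propagate, [System.Security.AccessControl.AuditFlags]::Success
    try {
        $acl = Get-Acl -Path $Path -Audit -ErrorAction Stop
        $acl.AddAuditRule($rule)
        Set-Acl -Path $Path -AclObject $acl -ErrorAction Stop
        "Audit rule applied: $Path"
    } catch {
        # Expected on some TrustedInstaller-owned directories, as the sheet notes on page 5
        Write-Warning "Skipped $Path : $($_.Exception.Message)"
    }
}

# Abbreviated versions of the two lists above; extend them with the remaining entries
$thisFolderAndFiles = @(
    "$env:ProgramFiles",
    "$env:ProgramData",
    "$env:SystemRoot\System32",
    "$env:SystemRoot\System32\Drivers\etc"
)
$withSubfolders = @(
    "$env:SystemRoot\System32\Tasks",
    "$env:SystemRoot\Scripts",
    "$env:PUBLIC"
)
foreach ($p in $thisFolderAndFiles) { Add-CheatSheetAuditRule -Path $p }
foreach ($p in $withSubfolders)     { Add-CheatSheetAuditRule -Path $p -IncludeSubfolders }

# Read back the SACL of one folder to confirm what was written
(Get-Acl -Path "$env:SystemRoot\System32\Tasks" -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, AuditFlags -AutoSize
```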
CONFIGURE: EXCLUDE NOISY ITEMS:
These folders will create events that do not provide much value. After setting auditing on the parent folder, remove auditing from these folders and any other files and folders you find overly noisy with little security benefit.
  • C:\ProgramData\Microsoft\RAC\Temp
  • C:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf
  • C:\ProgramData\Microsoft\RAC\StateData\RacDatabase.sdf
  • C:\ProgramData\<Anti-Virus>\Common Framework – Insert your AV folder(s)
  • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk
  • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
  • C:\Users\*\AppData\Local\GDIPFONTCACHEV1.DAT
  • C:\Users\*\AppData\Local\Google\Chrome\User Data
  • C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*
  • C:\Users\*\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
  • C:\Users\*\AppData\Local\Microsoft\Office
  • C:\Users\*\AppData\Local\Microsoft\Outlook
  • C:\Users\*\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis
  • C:\Users\*\AppData\Local\Mozilla\Firefox\Profiles
  • C:\Users\*\AppData\LocalLow\Microsoft\CryptnetUrlCache
  • C:\Users\*\AppData\Roaming\Microsoft\Excel
  • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache
  • Any other normal applications that you have installed that produce a lot of log entries without significant security value.

OPTIONS TO SET FILE AUDITING:
There are four ways to set file and folder auditing on each folder:
1. Create a security template that is applied using Group Policy and/or secedit. This is the most effective way of doing it for a large number of systems.
  a. https://msdn.microsoft.com/en-us/library/bb742512.aspx
2. Set with a PowerShell script. This method does not work on certain directories owned by TrustedInstaller, and changing the ownership is not recommended.
3. Set with SetACL.exe, a utility by www.helgeklein.com.
4. Set manually via Explorer. This does not scale, as each system must be set manually, but may be fine for a malware lab or an investigation of a single system or a few systems.

PREFETCH FOLDER AUDITING:
Auditing the Windows Prefetch or Superfetch folder is a good forensic addition since it will not generate very much log data. In Win 7 and later, on systems with an SSD, it is disabled. Enabling it on servers is an option. On workstations, set the “Superfetch” service to Automatic and start it, and make sure the “EnableSuperfetch” value under the following key is set to “3”:
  • HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
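Removing auditing from a noisy child folder, in practice, means stopping it from inheriting the parent's audit entries. The following added PowerShell example (not from the cheat sheet) does that for an abbreviated set of the exclusions above by protecting each child's SACL from inheritance and discarding the inherited entries, expanding the C:\Users\* entries across existing profiles. It assumes an elevated session and PowerShell 3 or later; the function name and the shortened list are ours.

```powershell
# Added example: block inherited audit entries on the noisy folders listed above.
# Assumes an elevated session; Get-ChildItem -Directory needs PowerShell 3 or later.
function Block-InheritedAuditRules {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $acl = Get-Acl -Path $Path -Audit -ErrorAction Stop
        # $true  = protect this SACL from inheritance (nothing flows down from the parent any more)
        # $false = do not keep copies of the entries that were inherited, so they are removed
        $acl.SetAuditRuleProtection($true, $false)
        Set-Acl -Path $Path -AclObject $acl -ErrorAction Stop
        "Audit inheritance blocked: $Path"
    } catch {
        Write-Warning "Skipped $Path : $($_.Exception.Message)"
    }
}

# Abbreviated machine-wide entries from the exclusion list above
$noisy = @(
    "$env:ProgramData\Microsoft\RAC\Temp",
    "$env:ProgramData\Microsoft\Search\Data\Applications\Windows"   # holds MSS.chk and MSS.log
)

# Expand the C:\Users\* entries across every profile folder present on this system
$perUser = @(
    'AppData\Local\Google\Chrome\User Data',
    'AppData\Local\Mozilla\Firefox\Profiles',
    'AppData\LocalLow\Microsoft\CryptnetUrlCache'
)
foreach ($profile in Get-ChildItem -Path "$env:SystemDrive\Users" -Directory) {
    foreach ($sub in $perUser) { $noisy += Join-Path -Path $profile.FullName -ChildPath $sub }
}

# Only touch folders that exist; a missing Chrome or Firefox profile is simply skipped
foreach ($p in ($noisy | Where-Object { Test-Path -Path $_ })) { Block-InheritedAuditRules -Path $p }
```

Re-run the 4663 summary from page 2 afterwards to confirm the excluded folders have dropped out of the top of the list.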
USING SECURITY TEMPLATES TO SET AND REMOVE FILE AUDITING:
The following is how to create a security template using the Microsoft Management Console (MMC). To create a custom security template using the MMC snap-in:
1. Open the MMC console: choose Start, and then choose Run
2. Type “mmc” in the Open box, and then choose OK
3. From the File menu, choose Add/Remove Snap-in
4. In the Add/Remove Snap-in dialog box, choose Add
5. In the list of available snap-ins, select Security Templates, choose Add, choose Close, and then choose OK
6. In the MMC main window, under the Console Root node, expand the Security Templates node, right-click the root templates folder, and then choose New Template
7. Type a name and description for the template, and then choose OK
8. Choosing OK saves your template as an .inf file in:
  • C:\Users\<username>\Documents\Security\Templates
  • Or you may save them anywhere you would like
9. Add each folder and/or file you want to audit with the appropriate audit settings listed above

CHECK THE AUDITING OF A FOLDER OR FILE:
1. To check what the file auditing for a given folder or file is set to, use the following PowerShell script:
  • Check_Auditing_Settings_File_Folder.ps1 – Check the auditing set on a specific folder or file
  • Available at www.Malwarearchaeology.com/logging